We show that the Double Coset Membership problem for permutation groups possesses perfect zero-knowledge proofs.

1 Introduction 

1.1 Definition of the problem

Let $S_m$ be a symmetric group of order $m$. We suppose that an element of $S_m$, a permutation of an $m$-element set, is encoded by a binary string of length $n = \lceil \log_2 m! \rceil$, $m(\log_2 m - O(1)) < n < m \log_2 m$. Whenever we refer to a permutation group $G$, we mean that $G$ is a subgroup of $S_m$ for some $m$. Throughout the paper we assume that permutation groups are given by a list of their generators.

In this paper we address the following algorithmic problem, considered first by Luks [21].

DCM (Double Coset Membership)

Given: two permutations $\sigma$ and $\tau$ and two permutation groups $G$ and $H$, all of the same order.

Recognize if: $\sigma \in G\tau H$.



1.2 Current complexity status 

For the background on computational complexity theory the reader is referred 
to [10]. 

DCM is in the class NP by the Babai-Szemerédi Reachability Theorem [5]. This theorem says that, given any set $S$ of generators of a finite group $G$ and any $g \in G$, there exists a sequence of elements $u_1, \ldots, u_l$ of $G$ such that the following conditions are met.

1. Each $u_i$ either belongs to $S$ or is obtained by the inversion or the group operation from one or two previous elements of the sequence.

2. $u_l = g$.

3. $l \le (1 + \log_2 |G|)^2$.

As $\sigma \in G\tau H$ iff $\tau^{-1}\sigma \in (\tau^{-1} G \tau) H$, DCM admits the following reformulation.
DCM (An equivalent formulation)

Given: a permutation $s$ and two permutation groups $G$ and $H$, all of the same order.

Recognize if: $s \in GH$.

Consider two related problems, the first one easier and the second one harder 
than DCM. 

Membership in a Permutation Group

Given: a permutation $s$ and a permutation group $G$ of the same order.

Recognize if: $s \in G$.

Membership in a 3-fold Group Product

Given: a permutation $s$ and three permutation groups $G$, $H$, and $K$, all of the same order.

Recognize if: $s \in GHK$.

It is known that the former problem is solvable in polynomial time [25, 9] and that the latter problem is NP-complete [22]. There is evidence that the complexity of DCM is strictly in between. On the one hand, the problem of recognizing whether two given graphs are isomorphic is polynomial-time reducible to DCM [21], see also Proposition 3.2 below. DCM is therefore not expected to be solvable in polynomial time as long as the Graph Isomorphism problem is not solved in polynomial time (the currently best algorithm, due to Luks and Zemlyachenko, runs in time $\exp(O(\sqrt{n \log n}))$ for graphs on $n$ vertices, see [3]). On the other hand, DCM belongs to the complexity class coAM (see Subsection 2.1 for the definition). By [8], if NP is a subclass of coAM, then the polynomial-time hierarchy of complexity classes collapses to its second level, i.e., $\Sigma_2^p = \Pi_2^p$ (see [10]). As the latter consequence is widely considered unlikely, it is unlikely that DCM is NP-complete.

Like the membership in coAM, some other complexity-theoretic results known for Graph Isomorphism also generalize to DCM. Both problems have program checkers [7], and both are low for the complexity class PP [20].

It is worth noting that several other group-theoretic problems are polynomial-time equivalent with DCM. We mention a few examples from the list of such problems compiled in [21, 19]: Given permutation groups $G$, $H$ and permutations $\sigma$, $\tau$, (a) find generators for $G \cap H$; (b) recognize if $G\sigma$ and $H\tau$ intersect; (c) if $\sigma \in G$, find the centralizer of $\sigma$ in $G$; (d) if $\sigma, \tau \in G$, recognize if the centralizer of $\tau$ in $G$ intersects $G\sigma$. In [7] it is shown that DCM is equivalent with the problem, given $s \in GH$, to find a factorization $s = gh$ with $g \in G$ and $h \in H$.
1.3 Our result

A natural question to ask about an NP problem whose polynomial-time solvability and NP-completeness are unknown is whether it possesses a perfect or a statistical zero-knowledge interactive proof system. Informally speaking, a zero-knowledge proof system for the recognition problem of a language $L$ is a protocol for two parties, the prover and the verifier, that allows the prover to convince the verifier that a given input belongs to $L$, with high confidence but without communicating any information to the verifier (the rigorous definitions are in Subsection 2.1).

The concept of a zero-knowledge proof has notable applications in designing cryptographic protocols and in estimating the computational complexity of a language recognition problem. Namely, by [1] the class PZK of languages having perfect zero-knowledge proof systems is a subclass of coAM. Thus, the existence of a perfect zero-knowledge proof of the membership in $L$ not only has a cryptographic meaning but also implies that $L$ is in coAM and hence cannot be NP-complete unless the polynomial-time hierarchy collapses.

For the Graph Isomorphism problem, its membership in coAM was proven directly in [24] and its membership in PZK was proven in [14]. For DCM, the proof of its membership in coAM given in [4] is direct. In the present paper we prove that DCM is also in PZK. We therefore extend the list of problems in PZK that currently includes Graph Isomorphism [14], Quadratic Residuosity [16], a problem equivalent to Discrete Logarithm [13], and approximate versions of the Shortest Vector and Closest Vector problems for integer lattices [11].

2 Background on zero-knowledge proofs 

2.1 Definitions 

We denote the length of a binary word $w$ by $|w|$. We consider languages over the binary alphabet, i.e., subsets of $\{0,1\}^*$. The complement of $L$ is the language $\bar{L} = \{0,1\}^* \setminus L$. Note that the DCM problem can be represented as a recognition problem for the language $L = \{(s, G, H) : s \in GH\}$, where $(s, G, H)$ is a suitable binary encoding of the triplet consisting of a permutation $s$ and the lists of generators for the permutation groups $G$ and $H$.

We use the standard computational model of a deterministic Turing machine, 
abbreviated further on as TM. We assume that a TM has three tapes, namely, 
the input tape, the output tape, and the work tape where all computations are 
performed. 

A probabilistic TM, abbreviated further on as PTM, in addition has a fourth tape containing a potentially infinite random binary string. Assuming that a PTM halts on input $w$ and random string $r$, we denote its running time by $t(w,r)$. A PTM is polynomial-time if $t(w,r)$ is bounded by a polynomial in $|w|$ for all $w$ and $r$. Assuming that a PTM halts on $w$ for almost all $r$, the function $t(w,r)$ for a fixed $w$ can be considered as a random variable on the probability space $\{0,1\}^\omega$ of all random strings. A PTM is expected polynomial-time on $L \subseteq \{0,1\}^*$ if for all $w \in L$ the expectation of $t(w,r)$ is bounded by a polynomial in $|w|$.

An interactive proof system $(V, P)$, further on abbreviated as IPS, consists of two PTMs, a polynomial-time $V$ called the verifier and a computationally unlimited $P$ called the prover. The input tape is common for the verifier and the prover. The verifier and the prover also share a communication tape which allows message exchange between them. The system works as follows. First both machines $V$ and $P$ are given an input $w$ and each of them is given an individual random string, $r_V$ for $V$ and $r_P$ for $P$. Then $P$ and $V$ alternately write messages to one another on the communication tape. $V$ computes its $i$-th message $a_i$ to $P$ based on the input $w$, the random string $r_V$, and all previous messages from $P$ to $V$. $P$ computes its $i$-th message $b_i$ to $V$ based on the input $w$, the random string $r_P$, and all previous messages from $V$ to $P$. After a number of message exchanges $V$ terminates the interaction and computes an output based on $w$, $r_V$, and all $b_i$. The output is denoted by $(V,P)(w)$. Note that, for a fixed $w$, $(V,P)(w)$ is a random variable depending on both random strings $r_V$ and $r_P$.

Let $\epsilon(n)$ be a function of a natural argument taking on positive real values. We call $\epsilon(n)$ negligible if $\epsilon(n) < n^{-c}$ for every $c$ and all $n$ starting from some $n_0(c)$. For example, an exponentially small function $\epsilon(n) = a^{-n}$, where $a > 1$, is negligible.

We say that $(V, P)$ is an IPS for a language $L$ with error $\epsilon(n)$ if the following two conditions are fulfilled.

Completeness. If $w \in L$, then $(V,P)(w) = 1$ with probability at least $1 - \epsilon(|w|)$.

Soundness. If $w \notin L$, then, for an arbitrary interacting PTM $P^*$, $(V,P^*)(w) = 1$ with probability at most $\epsilon(|w|)$.

We will call any prover $P^*$ interacting with $V$ on input $w \notin L$ cheating. If in the completeness condition we have $(V,P)(w) = 1$ with probability 1, we say that $(V,P)$ has one-sided error $\epsilon(n)$.

We say that $(V,P)$ is an IPS for a language $L$ if $(V,P)$ is an IPS for $L$ with negligible error.

An IPS is public-coin if the concatenation $a_1 \ldots a_k$ of the verifier's messages is a prefix of his random string $r_V$. A round is sending one message from the verifier to the prover or from the prover to the verifier. The class AM consists of those languages having IPSs with error $1/3$ and with the number of rounds bounded by a constant for all inputs. A language $L$ belongs to the class coAM iff its complement $\bar{L}$ belongs to AM.

Given an IPS $(V,P)$ and an input $w$, let $\mathrm{view}_{V,P}(w) = (r'_V, a_1, b_1, \ldots, a_k, b_k)$, where $r'_V$ is the part of $r_V$ scanned by $V$ during work on $w$ and $a_1, b_1, \ldots, a_k, b_k$ are all messages from $V$ to $P$ and from $P$ to $V$ ($a_1$ may be empty if the first message is sent by $P$). Note that the verifier's messages $a_1, \ldots, a_k$ could be excluded because they are efficiently computable from the other components. For a fixed $w$, $\mathrm{view}_{V,P}(w)$ is a random variable depending on $r_V$ and $r_P$.

An IPS $(V,P)$ is perfect zero-knowledge on $L$ if for every interacting polynomial-time PTM $V^*$ there is a PTM $M_{V^*}$, called a simulator, that on every input $w \in L$ runs in expected polynomial time and produces output $M_{V^*}(w)$ which, if considered as a random variable depending on a random string of $M_{V^*}$, is distributed identically with $\mathrm{view}_{V^*,P}(w)$. The latter condition means that

$$\Pr[M_{V^*}(w) = z] = \Pr[\mathrm{view}_{V^*,P}(w) = z] \quad \text{for all } z.$$

If only the weaker condition that

$$\sum_z \bigl| \Pr[M_{V^*}(w) = z] - \Pr[\mathrm{view}_{V^*,P}(w) = z] \bigr| \text{ is negligible}$$

is true, we call $(V,P)$ statistical zero-knowledge. These notions formalize the claim that the verifier gets no information during interaction with the prover: everything that the verifier gets he can get without the prover by running the simulator.

According to the definition the verifier learns nothing even if he deviates from the original program and follows an arbitrary probabilistic polynomial-time program $V^*$. We will call the verifier $V$ honest and all other verifiers $V^*$ cheating. If the existence of a simulator is claimed only for the honest verifier, we call such a proof system honest-verifier perfect (or statistical) zero-knowledge.

The class of languages $L$ having IPSs that are perfect (resp. statistical) zero-knowledge on $L$ is denoted by PZK (resp. SZK). Recall that the error here is supposed negligible.

The $k(n)$-fold sequential composition of an IPS $(V,P)$ is the IPS $(V',P')$ in which $V'$ and $P'$ on input $w$ execute the programs of $V$ and $P$ sequentially $k(|w|)$ times, each time with an independent choice of the random strings $r_V$ and $r_P$. At the end of the interaction $V'$ outputs 1 iff $(V,P)(w) = 1$ in all $k(|w|)$ executions. The initial system $(V,P)$ is called atomic.

In the $k(n)$-fold parallel composition $(V'',P'')$ of $(V,P)$, the program of $(V,P)$ is executed $k(|w|)$ times in parallel, that is, in each round all versions of a message are sent from one machine to the other at once as a single long message. In every parallel execution $V''$ and $P''$ use independent copies of $r_V$ and $r_P$. At the end of the interaction $V''$ outputs 1 iff $(V,P)(w) = 1$ in all executions.

2.2 Known results on zero-knowledge proofs 

We first notice a simple property of sequential composition of IPSs. 

Proposition 2.1 If $(V,P)$ is an IPS for a language $L$ with one-sided constant error $\epsilon$, then the $k(n)$-fold sequential composition of $(V,P)$ is an IPS for $L$ with one-sided error $\epsilon^{k(n)}$.

Parallel composition obviously preserves the number of rounds, the public-coin property, and the property of the error being one-sided. It is not hard to prove that $k$-fold parallel composition reduces the one-sided error $\epsilon$ to $\epsilon^k$. It is also not hard to prove that parallel composition preserves perfect and statistical zero-knowledge for the honest verifier. These observations are summarized in the next proposition.

Proposition 2.2 Assume that $(V,P)$ is an honest-verifier perfect zero-knowledge public-coin IPS for a language $L$ that on all inputs works in a constant number $c$ of rounds with one-sided constant error $\epsilon$. Then the $k(n)$-fold parallel composition of $(V,P)$ is an honest-verifier perfect zero-knowledge IPS for $L$ that works in $c$ rounds with error $\epsilon^{k(n)}$.

We also refer to the following deep results in the theory of zero-knowledge proofs.

Proposition 2.3 (Aiello-Håstad [1]) SZK $\subseteq$ coAM.

Proposition 2.4 (Okamoto [23])

1. Every honest-verifier statistical zero-knowledge IPS for a language $L$ can be transformed into an honest-verifier statistical zero-knowledge public-coin IPS for $L$.

2. If $L$ has an honest-verifier statistical zero-knowledge public-coin IPS, then $L$ has an honest-verifier statistical zero-knowledge constant-round IPS.

Note that item 2 of Proposition 2.4 strengthens Proposition 2.3 because by [17] every IPS can be made public-coin at the cost of decreasing the number of rounds by 2.

Proposition 2.5 (Goldreich-Sahai-Vadhan [15]) Every honest-verifier statistical zero-knowledge public-coin IPS for a language $L$ can be transformed into a general statistical zero-knowledge public-coin IPS for $L$. If the error of the initial IPS is one-sided, so is the error of the resulting IPS.

Note that, to achieve negligible error, the transformation of Proposition 2.5 makes the number of rounds grow with the input size, even if the initial IPS is constant-round. A transformation preserving the constant number of rounds is known only under an unproven assumption about the hardness of the Discrete Logarithm problem (the formal statement of the assumption can be found in [6]).

Proposition 2.6 (Bellare-Micali-Ostrovsky [6]) Suppose that a language $L$ has an honest-verifier statistical zero-knowledge IPS that on every input $w$ works in $c(|w|)$ rounds with error at most $1/3$. Then, under the assumption on the hardness of Discrete Logarithm, $L$ has a general statistical zero-knowledge IPS that on input $w$ works in $O(c(|w|))$ rounds with exponentially small error.

3 Background on permutation groups 

Given a finite set $X$, by a random element of $X$ we mean a random variable uniformly distributed over $X$.

Proposition 3.1 (Sims [25, 9])

1. There is a polynomial-time algorithm for recognizing Membership in a Permutation Group.

2. There is a probabilistic polynomial-time algorithm that, given a list of generators for a permutation group $G$, outputs a random element of $G$.

The DCM problem is at least as hard as testing isomorphism of two given graphs. 

Proposition 3.2 (Luks [21], Hoffmann [18]) The Graph Isomorphism problem is polynomial-time reducible to DCM.

We include a proof for the sake of completeness. 

Proof. Consider two graphs of order $n$ with adjacency matrices $A = (a_{ij})$ and $B = (b_{ij})$. Let $S_1 = \{(i,j) : a_{ij} = 1\}$ and $S_2 = \{(i,j) : b_{ij} = 1\}$.

Let $G$ be the group of permutations of the square $\{1, \ldots, n\}^2$ generated by simultaneous transpositions of the $i$-th and $j$-th rows and the $i$-th and $j$-th columns for all $1 \le i < j \le n$. The graphs are isomorphic iff $G$ contains a permutation $\sigma$ such that $\sigma(S_1) = S_2$.

Let $H$ be the group of permutations $\tau$ such that $\tau(S_1) = S_1$ and let $s$ be an arbitrary permutation such that $s(S_1) = S_2$. As is easily seen, a permutation $\sigma$ as above exists iff $s \in GH$. □

Note that the reduction described allows one to transform any zero-knowledge proof system for DCM into a zero-knowledge proof system for Graph Isomorphism.

4 Zero-knowledge proofs for DCM

Theorem 4.1 The DCM problem has an honest-verifier perfect zero-knowledge three-round public-coin IPS with one-sided error $1/2$.

Proof. On input $(s, G, H)$ such that $s \in GH$ the IPS $(V,P)$ proceeds as follows.

1st round.

$P$ generates random elements $g \in G$ and $h \in H$, computes $t = gsh$, and sends $t$ to $V$. $V$ checks if $t$ is a permutation of the given order and if not (this is possible in the case of a cheating prover) halts and outputs 1.

2nd round.

$V$ chooses a random bit $b \in \{0,1\}$ and sends it to $P$.

3rd round.

Case $b = 0$. $P$ sends $V$ the permutations $g$ and $h$. $V$ checks if $g \in G$, $h \in H$, and $t = gsh$.

Case $b \ne 0$ (this includes the possibility of a message $b \notin \{0,1\}$ produced by a cheating verifier). $P$ decomposes $s$ into the product $s = g_0 h_0$ with $g_0 \in G$ and $h_0 \in H$, computes $g_1 = g g_0$ and $h_1 = h_0 h$, and sends $g_1$ and $h_1$ to $V$. $V$ checks if $g_1 \in G$, $h_1 \in H$, and $t = g_1 h_1$.

$V$ halts and outputs 1 if the conditions are checked successfully and 0 otherwise.
This IPS is obviously public-coin. We need to check that this is indeed an IPS for DCM with one-sided error $1/2$ and, moreover, that this is an honest-verifier perfect zero-knowledge IPS.

Completeness. If $s \in GH$, then it is clear that $V$ outputs 1 with probability 1.

Soundness. Assume that $s \notin GH$ and consider an arbitrary cheating prover $P^*$. Observe that if both $t = gsh$ with $g \in G$, $h \in H$ and $t = g_1 h_1$ with $g_1 \in G$, $h_1 \in H$, then $s = g^{-1} g_1 h_1 h^{-1} \in GH$. It follows that, for at least one value of $b$, $V$ outputs 0 and therefore $V$ outputs 1 with probability at most $1/2$.

Zero-knowledge. Assume that $s \in GH$. During interaction with $P$, $V$ sees $\mathrm{view}_{V,P}(s, G, H) = (b, t, b, g', h')$, where $g'$ and $h'$ are received by $V$ in the 3rd round. If $b = 0$, then $t = gsh$, $g' = g$, and $h' = h$. If $b = 1$, then $t = g'h'$, $g' = g g_0$, and $h' = h_0 h$. In both cases $g'$ and $h'$ are random elements of $G$ and $H$ respectively. The random variable $\mathrm{view}_{V,P}(s, G, H)$ can therefore be generated by the following simulator: generate a random bit $b$ and random elements $g' \in G$ and $h' \in H$; if $b = 0$, set $t = g' s h'$; if $b = 1$, set $t = g' h'$. □



Corollary 4.1 The DCM problem has an honest-verifier perfect zero-knowledge three-round public-coin IPS with one-sided error $2^{-n}$.

Proof. By Proposition 2.2 the $n$-fold parallel composition of the IPS from Theorem 4.1 reduces the error to $2^{-n}$ and preserves the properties of the atomic system. □

Let Double Coset Non-Membership, abbreviated as DCNM, be the prob- 
lem opposite to DCM, that is, given a permutation s and two permutation groups 
G and H, to recognize if s ^ GH. The DCNM problem is clearly polynomial-time 
equivalent with recognition of the set-theoretic complement of DCM, where the 
latter is encoded as a language in the binary alphabet. 

Corollary 4.2 DCNM has an honest-verifier statistical zero-knowledge constant- 
round IPS. 

Proof. The corollary follows from Corollary 4.1 by Proposition 2.4. 

We also give an alternative direct proof of this claim describing an honest-verifier perfect zero-knowledge two-round IPS $(V,P)$ for DCNM with one-sided error $1/2$. This system, for the case of permutation groups, generalizes the IPS suggested in [2] for the problem of testing the membership in a finite group given by a list of generators and an oracle access to the group operation.

On input $(s, G, H)$ such that $s \notin GH$ the system works as follows.

1st round.

$V$ chooses a random bit $b$ to be the first bit of its random string $r_V$ and, based on the subsequent bits of $r_V$, generates random elements $g \in G$ and $h \in H$. If $b = 0$, $V$ computes $t = gh$; if $b = 1$, $V$ computes $t = gsh$. Then $V$ sends $t$ to $P$.

2nd round.

$P$ recognizes if $t \in GH$. If so, $P$ sets $a = 0$; if not, $P$ sets $a = 1$. Then $P$ sends $a$ to $V$.

$V$ checks if $a = b$ and halts. If the equality is true, $V$ outputs 1; otherwise $V$ outputs 0.

Completeness. Assume that $s \notin GH$. In the first round, $t \in GH$ if $b = 0$ and $t \notin GH$ if $b = 1$. Therefore $V$ outputs 1 with probability 1.

Soundness. Assume that $s \in GH$. Then $t \in GH$ regardless of the value of $b$. Moreover, $t$ is the product of random elements of $G$ and $H$ and, as a random variable, is independent of the random variable $b$. It follows that in the second round a message from the cheating prover $P^*$ to $V$, which is a function of $s$, $G$, $H$, $r_{P^*}$, and $t$, is equal to $b$ with probability at most $1/2$. Hence $(V, P^*)(s, G, H) = 1$ with probability at most $1/2$.

Zero-knowledge. Assume that $s \notin GH$. During interaction with $P$, $V$ sees $\mathrm{view}_{V,P}(s, G, H) = (r'_V, t, a)$, where $a$ equals the first bit $b$ of $r'_V$. The simulator therefore just generates a random string $r_V$, extracts the first bit $b$ from it, sets $a = b$, based on the remaining bits of $r_V$ computes $g$ and $h$, based on $b$, $g$, and $h$ computes $t$, and sets $r'_V$ to be the prefix of $r_V$ that was actually used for these purposes. □
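As an added illustration, not part of the paper, the following Python script implements the three-round IPS of Theorem 4.1 together with the honest-verifier simulator from its proof, and the two-round IPS for DCNM just described, on a constructed instance of permutations of four points. Group enumeration, membership tests and uniform sampling are done by brute force in place of the Sims algorithm of Proposition 3.1; all function names and the instance are the example's own.

```python
import random
from collections import Counter

# Permutations of {0, ..., m-1} are tuples p with p[i] the image of i. Groups
# are enumerated by brute force (fine for the tiny constructed instance below),
# standing in for the Sims machinery of Proposition 3.1.

def compose(p, q):
    """Group product p*q: apply q first, then p."""
    return tuple(p[q[i]] for i in range(len(p)))

def inverse(p):
    inv = [0] * len(p)
    for i, image in enumerate(p):
        inv[image] = i
    return tuple(inv)

def closure(gens):
    """All elements of the group generated by gens (breadth-first)."""
    e = tuple(range(len(gens[0])))
    group, frontier = {e}, [e]
    while frontier:
        new = []
        for p in frontier:
            for g in gens:
                q = compose(g, p)
                if q not in group:
                    group.add(q)
                    new.append(q)
        frontier = new
    return group

def factor_in_GH(s, G, H):
    """Prover's decomposition s = g0*h0, or None if s is not in GH
    (s = g*h iff g^{-1}*s lies in H for some g in G)."""
    for g in G:
        h = compose(inverse(g), s)
        if h in H:
            return g, h
    return None

def random_element(group):
    return random.choice(sorted(group))  # uniform over the enumerated group

def dcm_round(s, G, H, b=None):
    """One execution of the three-round IPS of Theorem 4.1 with the honest
    prover. Returns (V's output, view (b, t, b, g', h')); b may be fixed."""
    g, h = random_element(G), random_element(H)
    t = compose(compose(g, s), h)             # round 1: P sends t = g s h
    if b is None:
        b = random.randint(0, 1)              # round 2: V's public coin
    if b == 0:                                # round 3, case b = 0
        g1, h1 = g, h
        ok = t == compose(compose(g1, s), h1)
    else:                                     # case b != 0 needs s = g0 h0
        fac = factor_in_GH(s, G, H)
        if fac is None:                       # s not in GH: P cannot answer
            return 0, (b, t, b, None, None)
        g0, h0 = fac
        g1, h1 = compose(g, g0), compose(h0, h)
        ok = t == compose(g1, h1)
    return int(ok and g1 in G and h1 in H), (b, t, b, g1, h1)

def view_distributions(s, G, H):
    """Exact distribution of view_{V,P}(s,G,H) over P's coins (g,h) and V's
    bit b, beside the honest-verifier simulator's output distribution from the
    proof of Theorem 4.1; the two Counters are expected to be equal."""
    g0, h0 = factor_in_GH(s, G, H)
    real, sim = Counter(), Counter()
    for g in G:
        for h in H:
            t = compose(compose(g, s), h)
            real[(0, t, 0, g, h)] += 1
            real[(1, t, 1, compose(g, g0), compose(h0, h))] += 1
            # simulator: random g', h'; t = g' s h' if b = 0, t = g' h' if b = 1
            sim[(0, t, 0, g, h)] += 1
            sim[(1, compose(g, h), 1, g, h)] += 1
    return real, sim

def dcnm_round(s, G, H, b=None):
    """One execution of the two-round IPS for DCNM (alternative proof of
    Corollary 4.2). Returns (V's output, view (b, t, a))."""
    if b is None:
        b = random.randint(0, 1)
    g, h = random_element(G), random_element(H)
    t = compose(g, h) if b == 0 else compose(compose(g, s), h)  # round 1
    a = 0 if factor_in_GH(t, G, H) is not None else 1           # round 2
    return int(a == b), (b, t, a)

# Constructed instance: G = S_3 on {0,1,2}, H = <(0 1), (2 3)>, |G ∩ H| = 2.
G = closure([(1, 0, 2, 3), (0, 2, 1, 3)])
H = closure([(1, 0, 2, 3), (0, 1, 3, 2)])
S_IN = compose((0, 2, 1, 3), (0, 1, 3, 2))   # (1 2)(2 3), an element of GH
S_OUT = (3, 1, 2, 0)                         # (0 3), not in GH
```

Calling `view_distributions(S_IN, G, H)` returns two equal Counters, which is the perfect zero-knowledge claim checked exhaustively; `dcm_round(S_OUT, G, H)` accepts for exactly one of the two challenge bits, which is the one-sided error $1/2$.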

Corollary 4.3 DCM is in SZK. Moreover, DCM has a statistical zero-knowledge public-coin IPS with one-sided error.

Proof. Apply the transformation from Proposition 2.5 to the IPS from Corollary 4.1.

Note that another proof of the membership of DCM in SZK can be given by applying Propositions 2.4 and 2.5 to the IPS in the alternative proof of Corollary 4.2. □

Corollary 4.4 (Babai-Moran [4]) DCM is in coAM. Therefore DCM is not NP-complete unless the polynomial-time hierarchy collapses at the second level.

Proof. This is an immediate consequence of Corollary 4.2 or a consequence of Corollary 4.3 based on Proposition 2.3. □

Corollary 4.5 Under the assumption on the hardness of Discrete Logarithm, DCM has a constant-round statistical zero-knowledge IPS with exponentially small error.

Proof. The corollary follows from Theorem 4.1 by Proposition 2.6. □

Theorem 4.2 The $n$-fold sequential composition of the IPS in Theorem 4.1 is a perfect zero-knowledge public-coin IPS for DCM with exponentially small error. Hence DCM is in PZK.

Proof. Denote the composed IPS by $(V,P)$. As the atomic system is public-coin, so is $(V,P)$. By Proposition 2.1 $(V,P)$ is an IPS for DCM with one-sided error $2^{-n}$. We have to prove that $(V,P)$ is perfect zero-knowledge.
For each verifier $V^*$ interacting with $P$ we describe a probabilistic expected polynomial-time simulator $M_{V^*}$. The simulator $M_{V^*}$ uses the program of $V^*$ as a subroutine. Assume that the running time of $V^*$ is bounded by a polynomial $q(n)$ in the input size. On input $w$, $M_{V^*}$ will run the program of $V^*$ on input $w$ with random string $r$, where $r$ is the prefix of $M_{V^*}$'s random string of length $q(|w|)$. In all other cases $M_{V^*}$ will use the remaining part of its random string.

The work of $M_{V^*}$ on input $w = (s, G, H)$ consists of $|w|$ stages, where a stage corresponds to an iteration of the atomic system.

Stage $i$.

$M_{V^*}$ chooses random elements $g_i \in G$ and $h_i \in H$ and a random bit $a \in \{0,1\}$. If $a = 0$, $M_{V^*}$ computes $t_i = g_i s h_i$; if $a = 1$, it computes $t_i = g_i h_i$. Then $M_{V^*}$ computes $b_i = V^*(w, r, t_1, g_1, h_1, \ldots, t_{i-1}, g_{i-1}, h_{i-1}, t_i)$, the message that $V^*(w,r)$ sends $P$ in the $i$-th sequential iteration of the atomic system after receiving $P$'s message $t_i$ and under the condition that in the preceding iterations $P$'s messages were $t_1, g_1, h_1, \ldots, t_{i-1}, g_{i-1}, h_{i-1}$. If $b_i$ and $a$ are simultaneously equal to or different from 0, then $M_{V^*}$ puts $v_i = (t_i, b_i, g_i, h_i)$ and proceeds to the $(i+1)$-th stage. If exactly one of $b_i$ and $a$ is equal to 0, then $M_{V^*}$ restarts the same $i$-th stage with a new independent choice of $a$, $g_i$, $h_i$.

After all stages are completed, $M_{V^*}$ halts and outputs $(r', v_1, \ldots, v_{|w|})$, where $r'$ is the prefix of $r$ actually used by $V^*$ during the interaction on input $w$ with the prover sending the messages $t_1, g_1, h_1, \ldots, t_{|w|}, g_{|w|}, h_{|w|}$. Notice that it might happen that in unsuccessful attempts to pass some stage $V^*$ used a prefix of $r$ longer than $r'$.

We first check that $M_{V^*}$ terminates in expected polynomial time whenever $s \in GH$. Since $V^*$ is polynomial-time, one attempt to pass Stage $i$, $i \le |w|$, takes time bounded by a polynomial in $|w|$. Recall that $M_{V^*}$ is programmed so that $a$ and $r$ are independent. Furthermore, $a$ and $t_i$ are independent. Indeed, if $a = 1$, then $t_i = g_i h_i$ is the product of random elements of $G$ and $H$. If $a = 0$, then $t_i = (g_i g_0)(h_0 h_i)$ is such a product as well. Here $g_0 \in G$ and $h_0 \in H$ are the elements of an arbitrary decomposition $s = g_0 h_0$. It follows that $a$ and $b_i$ are independent and therefore an execution of the stage is successful with probability $1/2$. We conclude that on average each stage consists of 2 executions. Thus, on average $M_{V^*}$ makes $2|w|$ polynomial-time executions and this takes expected polynomial time.

We finally need to check that, whenever $s \in GH$, the output $M_{V^*}(w)$ is distributed identically with $\mathrm{view}_{V^*,P}(w)$. Notice that both random variables depend on $V^*$'s random string $r$. It therefore suffices to show that the distributions are identical when conditioned on an arbitrary fixed $r$. For $0 \le i \le |w|$, let $D^{(i)}_M(w,r)$ denote the probability distribution of $(r', v_1, \ldots, v_i)$ conditioned on $r$, and let $D^{(i)}_{V^*,P}(w,r)$ denote the distribution of the part of $\mathrm{view}_{V^*,P}(w)$ formed up to the $i$-th sequential iteration. With this notation, we have to prove that $D^{(|w|)}_M(w,r) = D^{(|w|)}_{V^*,P}(w,r)$. Using induction on $i$, we prove that $D^{(i)}_M(w,r) = D^{(i)}_{V^*,P}(w,r)$ for every $0 \le i \le |w|$.

The base case of $i = 0$ is trivial. Let $i \ge 1$ and assume that

$$\Pr\left[D^{(i-1)}_M(w,r) = U_{i-1}\right] = \Pr\left[D^{(i-1)}_{V^*,P}(w,r) = U_{i-1}\right] \quad (1)$$

for every value $U_{i-1}$. Given $U_{i-1}$, assume now that both $D^{(i-1)}_M(w,r) = U_{i-1}$ and $D^{(i-1)}_{V^*,P}(w,r) = U_{i-1}$, and under these conditions consider how the $i$-th components $v_i = (t_i, b_i, g_i, h_i)$ are distributed in $U_i = U_{i-1} v_i$ according to $D^{(i)}_M(w,r)$ and $D^{(i)}_{V^*,P}(w,r)$. We will show that

$$\Pr\left[D^{(i)}_M(w,r) = U_{i-1} v_i \,\middle|\, D^{(i-1)}_M(w,r) = U_{i-1}\right] = \Pr\left[D^{(i)}_{V^*,P}(w,r) = U_{i-1} v_i \,\middle|\, D^{(i-1)}_{V^*,P}(w,r) = U_{i-1}\right] \quad (2)$$

for every value $v_i$. Together with (1) this will imply the identity of $D^{(i)}_M(w,r)$ and $D^{(i)}_{V^*,P}(w,r)$.

To prove (2), we will show that according to both conditional distributions $v_i$ is uniformly distributed on the set

$$S = \{(t, b, g, h) : t \in GH,\ b = V^*(w, r, U_{i-1}, t),\ g \in G,\ h \in H,\ t = gsh \text{ if } b = 0 \text{ and } t = gh \text{ if } b \ne 0\}.$$

Given $t$ and $s$, define the sets $R(t) = \{(g,h) : g \in G, h \in H, gh = t\}$ and $R_s(t) = \{(g,h) : g \in G, h \in H, gsh = t\}$. The first claim of the following lemma appeared in [18].

Lemma 4.1 Let $k = |G \cap H|$. Assume that $s = g_0 h_0$ with $g_0 \in G$ and $h_0 \in H$. Then the following statements are true.

1. Every $t \in GH$ has $k$ representations $t = gh$ with $g \in G$ and $h \in H$, i.e., $|R(t)| = k$. If $t = g_1 h_1$, then all other representations are

$$t = (g_1 f)(f^{-1} h_1), \quad (3)$$

where $f$ ranges over the group $G \cap H$.

2. For every $t$, the mapping $\alpha(g,h) = (g g_0, h_0 h)$ is one-to-one from $R_s(t)$ to $R(t)$.

3. Every $t \in GH$ has $k$ representations $t = gsh$ with $g \in G$ and $h \in H$, i.e., $|R_s(t)| = k$.

4. If $\phi : G \times H \to GH$ is defined by $\phi(g,h) = gh$, then $|\phi^{-1}(t)| = k$ for every $t \in GH$.

5. If $\psi : G \times H \to GH$ is defined by $\psi(g,h) = gsh$, then $|\psi^{-1}(t)| = k$ for every $t \in GH$.

6. If $t = gh$ is the product of uniformly distributed random elements $g \in G$ and $h \in H$, then $t$ is uniformly distributed on $GH$.

7. If a uniformly distributed random pair $(g,h) \in G \times H$ is conditioned on $gh = t$ for an arbitrary fixed $t \in GH$, then $(g,h)$ is uniformly distributed on $R(t)$.

8. If $t = gsh$ and $g \in G$ and $h \in H$ are uniformly distributed random elements, then $t$ is uniformly distributed on $GH$.

9. If a uniformly distributed random pair $(g,h) \in G \times H$ is conditioned on $gsh = t$ for an arbitrary fixed $t \in GH$, then $(g,h)$ is uniformly distributed on $R_s(t)$.

Proof. We first prove Item 1. Let $e$ denote the identity permutation. Clearly we have at least $k$ representations of the form (3). On the other hand, every representation $t = gh$ is of this form. Indeed, we have $(g^{-1} g_1)(h_1 h^{-1}) = e$ and hence both $g^{-1} g_1$ and $h_1 h^{-1}$ are simultaneously in $G$ and in $H$.

To prove Item 2, observe that $\alpha$ is indeed from $R_s(t)$ to $R(t)$. The map $\alpha'(g,h) = (g g_0^{-1}, h_0^{-1} h)$ is easily seen to be from $R(t)$ to $R_s(t)$ and inverse to $\alpha$.

Items 1 and 2 imply Item 3, Item 3 implies Item 5, and Item 5 implies Item 8. Item 1 implies Item 4, and Item 4 implies Item 6. Items 7 and 9 are true by the definition of $R(t)$ and $R_s(t)$. □

The distribution $D^{(i)}_{V^*,P}(w,r)$ conditioned on $D^{(i-1)}_{V^*,P}(w,r) = U_{i-1}$ is samplable as follows. Choose random elements $g \in G$ and $h \in H$. Compute $t_i = gsh$ and $b_i = V^*(w, r, U_{i-1}, t_i)$. If $b_i = 0$, set $g_i = g$ and $h_i = h$; otherwise set $g_i = g g_0$ and $h_i = h_0 h$. Clearly, this distribution of $(t_i, b_i, g_i, h_i)$ is over $S$.

By Item 8 of Lemma 4.1, $t_i$ is uniformly distributed on $GH$. If $b_i = 0$, then by Item 9 of Lemma 4.1, for every fixed $t_i$, the pair $(g_i, h_i)$ is uniformly distributed on $R_s(t_i)$. If $b_i \ne 0$, then by Item 2 of Lemma 4.1, for every fixed $t_i$, the pair $(g_i, h_i)$ is uniformly distributed on $R(t_i)$. It follows that $D^{(i)}_{V^*,P}(w,r)$ conditioned on $D^{(i-1)}_{V^*,P}(w,r) = U_{i-1}$ is uniform on $S$.

Consider now the sampling procedure for the distribution $D^{(i)}_M(w,r)$ conditioned on $D^{(i-1)}_M(w,r) = U_{i-1}$ as in the description of the simulator $M_{V^*}$. Under the condition that $a = 0$, by Items 8 and 9 of Lemma 4.1, $t_i$ is distributed uniformly over $GH$ and, for every fixed value of $t_i$, the pair $(g_i, h_i)$ is uniformly distributed over $R_s(t_i)$. Under the condition that $a = 1$, by Items 6 and 7 of Lemma 4.1, $t_i$ is distributed uniformly over $GH$ and, for every fixed value of $t_i$, the pair $(g_i, h_i)$ is uniformly distributed over $R(t_i)$. This leads to an equivalent sampling procedure: choose a random $t_i \in GH$, compute $b_i = V^*(w, r, U_{i-1}, t_i)$; if $b_i = 0$, choose a random pair $(g_i, h_i)$ in $R_s(t_i)$, otherwise in $R(t_i)$. It follows that $D^{(i)}_M(w,r)$ conditioned on $D^{(i-1)}_M(w,r) = U_{i-1}$ is uniform on $S$. □

Remark 4.1 The simulator in the proof of Theorem 4.2 is black-box, that is, for each $V^*$ it follows the same program that uses the strategy of $V^*$ as a subroutine. It should be noted that by [12] the parallel composition of the IPS in Theorem 4.1 is not zero-knowledge with a black-box simulator unless DCM is decidable in probabilistic polynomial time.

5 Future work 

A natural question arises whether our results can be extended to matrix groups over finite fields. One of the reasons why this case is more complicated is that, unlike permutation groups, no efficient test of membership for matrix groups is known. We intend to tackle this question in a subsequent paper.